Question asked by RT-7199 (edited by RT-7199)

EnforceCloudPasswordPolicyForPasswordSyncedUser with a federated domain

We already have Password Hash Sync enabled and the domain is federated, but EnforceCloudPasswordPolicyForPasswordSyncedUser is set to False.

Do/Can we set EnforceCloudPasswordPolicyForPasswordSyncedUser for a federated domain, to match the password policy with on-prem?

I can run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true, but does that even do anything, or will it create a conflict if the on-prem expiration policy is different for a federated domain?

The Get-MsolPasswordPolicy -DomainName "contoso.com" command doesn't work, and I would assume Set-MsolPasswordPolicy would also not work.

I can however run it for "contoso.onmicrosoft.com" which is a managed domain.


If EnforceCloudPasswordPolicyForPasswordSyncedUser is not to be used on federated domains, what happens when a user only authenticates to an Enterprise Application, is not redirected to ADFS and is authenticated by Azure AD itself, but the on-prem password is expired?

Tags: azure-active-directory, azure-ad-connect, azure-ad-app-registration, azure-ad-hybrid-identity, azure-ad-password-hash-sync

Bumping this up for an answer.

1 Answer

Answer by amanpreetsingh-msft (edited by RT-7199)

Hi @RT-7199, thank you for reaching out. Please find my comments inline.

Do/Can we set EnforceCloudPasswordPolicyForPasswordSyncedUser for a federated domain, to match the password policy with on-prem?

EnforceCloudPasswordPolicyForPasswordSyncedUser is a tenant-level setting and will apply cloud password policies to all synced users whose password hash is synced to the cloud, regardless of whether the domain is federated or not.

I can run Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true, but does that even do anything, or will it create a conflict if the on-prem expiration policy is different for a federated domain?

This setting won't have any impact if users are authenticated via the on-premises federation server, because the password validation will not happen against Azure AD. Whenever the password is changed on-premises, the password hash gets synced to the cloud. If you are setting EnforceCloudPasswordPolicyForPasswordSyncedUsers to true, Microsoft's recommendation is to keep the same password expiration value in both the cloud and on-premises.

If EnforceCloudPasswordPolicyForPasswordSyncedUser is not to be used on federated domains, what happens when a user only authenticates to an Enterprise Application, is not redirected to ADFS and is authenticated by Azure AD itself, but the on-prem password is expired?

When you configure an Azure AD policy to perform cloud authentication for federated users for a specific enterprise application, users are not redirected to the federation server and authenticate directly against Azure AD. In the scenario where the password expiration policy is conflicting and the user's password is expired on-premises but has not been reset yet, he/she can still log in using Azure AD credentials, because password validation is being performed against Azure AD and the password is expired on-premises but not in Azure AD. This is why the best practice is to keep the password expiration the same and to configure password writeback if you are using SSPR in Azure AD.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


@amanpreetsingh-msft Thanks for replying. The issue is that when I try to run Get-MsolPasswordPolicy I get the error below, which I don't get with a managed domain.

PS C:\WINDOWS\system32> Get-MsolPasswordPolicy  -DomainName "contoso.com"
Get-MsolPasswordPolicy : Unknown error occurred.
At line:1 char:1
+ Get-MsolPasswordPolicy  -DomainName "contoso.com"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolPasswordPolicy], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainOperationNotAllowedException,Microsoft.Online.Administration.Automation.GetPasswordPolicy

The Set command would be used to match the password policy, but how can I verify the results before and after running the Set command? If the Get is not working, that makes me unsure about running the Set and EnforceCloudPasswordPolicyForPasswordSyncedUser commands, which can affect the thousands of users we have.

@RT-7199 This is expected in the case of a federated domain. The setting applies to the tenant and takes effect only when authentication is done against Azure AD and not the federation server, which is why you get the error when you specify the federated domain in Get-MsolPasswordPolicy.

@amanpreetsingh-msft So how do we match the password expiration policy, because on-prem doesn't match the default 90-day policy of Azure?
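The thread asks how to verify the tenant setting and the per-domain password policy before touching anything, and why Get-MsolPasswordPolicy fails for the federated domain. The following read-only audit is an added example, not code from the thread or from Microsoft; it assumes the MSOnline module with Connect-MsolService already run, and the ActiveDirectory RSAT module on a domain-joined admin host for the on-prem comparison. It makes no changes, so it is safe to run across a tenant with thousands of users.

```powershell
# Added example (not from the thread): read-only audit of the settings discussed above.
# Assumptions: MSOnline module already connected (Connect-MsolService), ActiveDirectory
# module available on a domain-joined host for Get-ADDefaultDomainPasswordPolicy.
Import-Module MSOnline
Import-Module ActiveDirectory

# 1. Tenant-level state of the DirSync feature the question is about.
$feature = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
"EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled: $($feature.Enabled)"

# 2. On-premises maximum password age from the Default Domain Policy (a TimeSpan).
#    TotalDays of 0 means passwords never expire on-prem.
$onPremMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$onPremDays   = [int]$onPremMaxAge.TotalDays
"On-prem MaxPasswordAge: $onPremDays day(s)"

# 3. Per-domain view. Get-MsolPasswordPolicy only succeeds for managed domains, which is
#    why the federated domain in the thread returns DomainOperationNotAllowedException;
#    skipping federated domains here avoids that error instead of swallowing it.
$report = foreach ($domain in Get-MsolDomain) {
    $row = [ordered]@{
        Domain         = $domain.Name
        Authentication = $domain.Authentication   # Managed or Federated
        CloudValidity  = $null                    # days before cloud expiry
        CloudNotify    = $null                    # days of advance notification
        MatchesOnPrem  = $null
    }
    if ($domain.Authentication -eq 'Managed') {
        $policy = Get-MsolPasswordPolicy -DomainName $domain.Name
        $row.CloudValidity = $policy.ValidityPeriod      # 2147483647 = never expires
        $row.CloudNotify   = $policy.NotificationDays
        # Treat "never expires" on both sides as a match; otherwise compare day counts.
        $cloudNever = ($policy.ValidityPeriod -eq 2147483647)
        $onPremNever = ($onPremDays -eq 0)
        $row.MatchesOnPrem = if ($cloudNever -or $onPremNever) { $cloudNever -and $onPremNever }
                             else { $policy.ValidityPeriod -eq $onPremDays }
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# 4. Anything flagged here is a managed domain whose cloud expiry differs from on-prem,
#    i.e. the mismatch the answer warns about when the feature is enabled.
$report | Where-Object { $_.MatchesOnPrem -eq $false }
```

Run it once before and once after any Set-MsolPasswordPolicy or Set-MsolDirSyncFeature change and diff the two outputs; federated domains will show a blank cloud policy by design, since their validity is not evaluated by Azure AD.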